Pasquale Imperato reported that the $host parameter to the traceroute()
function in Traceroute.php is not properly sanitized before being
passed to exec().

Impact
======

A remote attacker could exploit this vulnerability when user input is
passed directly to PEAR Net_Traceroute in a PHP script, possibly
resulting in the remote execution of arbitrary shell commands with the
privileges of the user running the affected PHP script.

Workaround
==========

Ensure that all data that is passed to the traceroute() function is
properly shell escaped (for instance using the escapeshellcmd()
function).
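
One way to apply this workaround in a calling script, shown as an added example that is not part of the original advisory or of the Net_Traceroute package: the input is first restricted to an IP literal or hostname, then passed through escapeshellcmd() as described above. The function name traceroute_target(), the sample inputs and the commented Net_Traceroute::factory() call are assumptions, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: validate a user-supplied target before it reaches
// Net_Traceroute's traceroute(). The function name is hypothetical.

/**
 * Return a host string that is safe to hand to traceroute(), or null
 * if the input is not an IP literal or a plain hostname.
 */
function traceroute_target(string $input): ?string
{
    $host = trim($input);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }

    // IP literal (IPv4 or IPv6), or a hostname made of labels that hold
    // only letters, digits and hyphens. Shell metacharacters, whitespace
    // and a leading "-" are rejected here; the last matters because
    // escaping alone does not stop a value being read as an option.
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$isIp && !$isName) {
        return null;
    }

    // The advisory's workaround, kept as a second layer. A value that
    // passed the checks above is returned unchanged by it.
    return escapeshellcmd($host);
}

// Constructed sample inputs, not taken from the advisory.
$samples = ['example.org', '192.0.2.10', '2001:db8::1',
            'example.org; id', '-w 1 example.org', "a\nb"];
foreach ($samples as $s) {
    $safe = traceroute_target($s);
    printf("%-22s => %s\n", json_encode($s),
           $safe === null ? 'rejected' : "accepted ($safe)");
}

// In the calling script (package usage assumed, not executed here):
//   $tr   = Net_Traceroute::factory();
//   $safe = traceroute_target($_GET['host'] ?? '');
//   if ($safe !== null) {
//       $result = $tr->traceroute($safe);
//   }
```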

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200911-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.